Exhibit 7-6 presents the components of the tests of controls phase of the audit.

The tests of controls involve audit procedures designed to evaluate both general controls and application controls. Recall from Chapter 4 that general controls relate to all aspects of the IT environment, whereas application controls relate to specific software applications that cover a particular type of transaction. During audit planning, auditors must learn about the types of controls that exist within their client's IT environment. Then they may test those controls to determine whether they are reliable as a means of reducing risk. Tests of controls are sometimes referred to as “compliance tests,” because they are designed to determine whether the controls are functioning in compliance with management's intentions. The following section discusses how these controls are evaluated.


General controls must be tested before application controls are. Since general controls are the automated controls that affect all computer applications, the reliability of application controls is considered only after general controls are deemed reliable. In other words, even when application controls are believed to be strong, misstatements may still exist as a result of weak general controls. For example, if there were a lack of physical controls, a company's hardware and software could be accessed by an unauthorized user who could alter the data or the programs. ...

Get Accounting Information Systems: The Processes and Controls, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.